
Add --zizmor flag to compile command for security scanning #2639

Merged: pelikhan merged 4 commits into main from copilot/add-zizmor-flag-to-compile on Oct 27, 2025

Conversation


Copilot AI commented Oct 27, 2025

Adds a --zizmor flag to the compile command that runs the zizmor security scanner on generated .lock.yml files.

Changes

Flag Implementation

  • Added Zizmor bool field to CompileConfig struct
  • Registered --zizmor flag in compile command with Cobra
  • Implemented runZizmor() function that executes Docker container: docker run --rm -v "$(pwd)":/workdir -w /workdir ghcr.io/zizmorcore/zizmor:latest .

Exit Code Handling

  • Exit codes 10-14 (security findings) treated as warnings, not failures
  • Compilation succeeds even when zizmor finds issues
  • Only actual tool failures (exit codes outside 10-14 range) cause compilation to fail

Integration Points

  • Runs after successful compilation when flag is set
  • Skipped when --no-emit is used
  • Works with both specific file and batch compilation modes

Example Usage

# Scan all workflows
gh aw compile --zizmor

# Output shows findings without failing
✓ Compiled 1 workflow(s): 0 error(s), 1 warning(s)
ℹ Running zizmor security scanner on generated .lock.yml files...
error[template-injection]: code injection via template expansion
  --> ./.github/workflows/demo.lock.yml:67:46
⚠ Zizmor found security findings (see output above)

Testing

Added integration test TestCompileWithZizmor that initializes a git repository (required by zizmor) and verifies scanner execution and output display.

Original prompt

Add a flag "--zizmor" to "compile" that runs the zizmor tool on generated .yml files.

docker run --rm -v "$(pwd)":/workdir -w /workdir ghcr.io/zizmorcore/zizmor:latest .

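The following Go program is an added illustration of the policy described in the PR above; it is not the gh-aw project's own code. It builds the docker invocation from the PR, maps zizmor's exit code the same way (0 is clean, 10-14 are findings that only warn, anything else is a tool failure that fails the build) and parses the "error[rule]: message" header and the "--> file:line:col" pointer shown in the PR's sample output into structured findings. Everything not on the page is an assumption of this example: the type and function names, the read-only (:ro) mount instead of the PR's read-write one, and the second, made-up sample finding. Two caveats a reviewer would raise: the command mounts the whole working tree into an image pulled as :latest, so pin a digest for a scanner that runs on every build, and zizmor expects a git repository in the scanned directory (the PR's test initializes one for that reason).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// Image from the PR. Pinning a digest (@sha256:...) beats :latest for a scanner run
// on every build, but the page gives none, so the tag is kept as an assumption.
const defaultZizmorImage = "ghcr.io/zizmorcore/zizmor:latest"

// ZizmorStatus is the scan outcome derived from zizmor's exit code.
type ZizmorStatus int

const (
	ZizmorClean       ZizmorStatus = iota // exit 0: no findings
	ZizmorFindings                        // exit 10-14: findings, surfaced as warnings
	ZizmorToolFailure                     // any other code: docker or zizmor itself failed
)

func (s ZizmorStatus) String() string { return [...]string{"clean", "findings", "tool-failure"}[s] }

// zizmorArgs builds the docker arguments from the PR's command. repoDir must be
// absolute (the PR uses $(pwd)); the :ro mount is this example's choice, not the PR's.
func zizmorArgs(repoDir, image string) []string {
	return []string{"run", "--rm", "-v", repoDir + ":/workdir:ro", "-w", "/workdir", image, "."}
}

// classifyZizmorExit applies the PR's policy: 10-14 means findings and does not
// fail compilation; any other non-zero code is a tool failure.
func classifyZizmorExit(code int) ZizmorStatus {
	switch {
	case code == 0:
		return ZizmorClean
	case code >= 10 && code <= 14:
		return ZizmorFindings
	}
	return ZizmorToolFailure
}

// Finding is one parsed zizmor diagnostic.
type Finding struct {
	Level, Rule, Message, File string
	Line, Col                  int
}

var headerRe = regexp.MustCompile(`^(error|warning|help|note)\[([a-z0-9-]+)\]: (.+)$`)
var locationRe = regexp.MustCompile(`^\s*-->\s+(\S+?):(\d+):(\d+)$`)

// parseZizmorOutput extracts each "level[rule]: message" header and the
// "--> file:line:col" pointer that follows it, as in the PR's sample output.
func parseZizmorOutput(out string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		if m := headerRe.FindStringSubmatch(line); m != nil {
			findings = append(findings, Finding{Level: m[1], Rule: m[2], Message: m[3]})
		} else if n := len(findings); n > 0 && findings[n-1].File == "" {
			if m := locationRe.FindStringSubmatch(line); m != nil {
				findings[n-1].File = m[1]
				findings[n-1].Line, _ = strconv.Atoi(m[2])
				findings[n-1].Col, _ = strconv.Atoi(m[3])
			}
		}
	}
	return findings
}

// runZizmor executes the scanner and maps its exit code. Findings come back for
// display; only a tool failure (or docker not starting at all) produces an error.
func runZizmor(repoDir, image string) (ZizmorStatus, []Finding, error) {
	out, err := exec.Command("docker", zizmorArgs(repoDir, image)...).CombinedOutput()
	code := 0
	if exitErr, ok := err.(*exec.ExitError); ok {
		code = exitErr.ExitCode()
	} else if err != nil {
		return ZizmorToolFailure, nil, fmt.Errorf("starting docker: %w", err)
	}
	if status := classifyZizmorExit(code); status != ZizmorToolFailure {
		return status, parseZizmorOutput(string(out)), nil
	}
	return ZizmorToolFailure, nil, fmt.Errorf("zizmor exit %d: %s", code, strings.TrimSpace(string(out)))
}

// sampleZizmorOutput is constructed for offline use: the first finding is the one
// the PR description shows, the second is made up for illustration.
const sampleZizmorOutput = `error[template-injection]: code injection via template expansion
  --> ./.github/workflows/demo.lock.yml:67:46
warning[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/demo.lock.yml:12:15
`

func main() {
	dir, _ := os.Getwd() // same directory as $(pwd) in the PR's command
	status, findings, err := runZizmor(dir, defaultZizmorImage)
	if err != nil {
		fmt.Fprintln(os.Stderr, "✗", err) // tool failure: fail the build
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("⚠ %s:%d:%d %s[%s]: %s\n", f.File, f.Line, f.Col, f.Level, f.Rule, f.Message)
	}
	fmt.Println("zizmor status:", status) // findings are warnings and do not fail the build
}
```

Without docker available, parseZizmorOutput(sampleZizmorOutput) can be called directly and yields the two findings with their file, line and column; the exit-code mapping in classifyZizmorExit is pure and can be unit-tested without running the scanner, which is the part of the PR most worth pinning down in a test.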

Copilot AI and others added 2 commits October 27, 2025 23:00
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add --zizmor flag to compile for running zizmor tool Add --zizmor flag to compile command for security scanning Oct 27, 2025
Copilot AI requested a review from pelikhan October 27, 2025 23:06
@pelikhan pelikhan marked this pull request as ready for review October 27, 2025 23:12
Copilot AI review requested due to automatic review settings October 27, 2025 23:12
@github-actions commented

Agentic Changeset Generator triggered by this pull request.


Copilot AI left a comment


Pull Request Overview

This PR adds a --zizmor flag to the compile command that runs the zizmor security scanner on generated .lock.yml files after successful compilation.

Key Changes:

  • Added --zizmor flag to compile command that executes zizmor via Docker container
  • Exit codes 10-14 from zizmor are treated as warnings rather than failures
  • Integration test validates the flag's functionality with git repository setup

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • cmd/gh-aw/main.go: Registered --zizmor flag in compile command and passed it to CompileConfig
  • pkg/cli/compile_command.go: Implemented runZizmor() function and integrated it into compilation workflow
  • pkg/cli/compile_integration_test.go: Added integration test for zizmor flag functionality


Comment thread on pkg/cli/compile_command.go (outdated)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@pelikhan pelikhan merged commit fecf714 into main Oct 27, 2025
15 checks passed
@pelikhan pelikhan deleted the copilot/add-zizmor-flag-to-compile branch October 27, 2025 23:23